Just Enough Admin


Transcript Just Enough Admin

There is a tsunami of bad heading our way

Michael Hayden: four-star general, Director of the NSA, Director of the CIA, Director of National Intelligence

Edward Snowden: age 30, college dropout

Admins have the keys to the kingdom

You’re an Admin PWNED!!!

Hunting and Hacking System Administrators “Who better to target than the person that already has the ‘keys to the kingdom’?”

PS> Enter-PSSession Server1
FAIL! – Talk to your supervisor for assistance

"Jeffrey, I need to be admin on Server1 to restart SQL"
"No, Eddie. Just use Jea and connect to the 'Maintenance' endpoint on Server1"

PS> Enter-JeaSession Server1 -Name Maintenance
Server1> Restart-Service MSSQLSERVER
Server1> Steal-Secrets
Error: You are not authorized to Steal-Secrets

The three DSC resources:
JeaToolkit
JeaEndPoint
JeaEndPointAccount

JeaEndpointAccounts put the server in a blast container. Avoid domain accounts and Group Managed Service Accounts (gMSA), because they extend any breach to every server those accounts have access to.

Configuration FileServers
{
    foreach ($node in Get-FileServers)
    {
        Node $node
        {
            # A toolkit is a list of allowed commands; here it is two whole modules
            JeaToolkit StorageTools
            {
                Name         = 'StorageTools'
                CommandSpecs = @'
Module
Storage
SMBShare
'@
            }
            # The endpoint binds the toolkit to an ACL (SDDL) that says who may connect
            JeaEndpoint StorageAdmin
            {
                ToolKit                = 'StorageTools'
                SecurityDescriptorSddl = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;RM)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
            }
        }
    }
}

FileServers -OutputPath .\FileServers
Start-DscConfiguration .\FileServers -ComputerName (Get-StorageServers)

# CommandSpecs is a CSV: one row per allowed module or command, with an optional
# single parameter and a ValidateSet / ValidatePattern constraint on that parameter
JeaToolkit SQLMaintenance
{
    Name         = 'SQLMaintenance'
    CommandSpecs = @'
Module,Name,Parameter,ValidateSet,ValidatePattern
SQL,Get-*
,Get-Process
,Get-Service
,Stop-Process,Name,calc;notepad
,Restart-Service,Name,,^SQL
'@
}

# Or keep the spec in a file
JeaToolkit SQLMaintenance
{
    Name         = 'SQLMaintenance'
    CommandSpecs = (Get-Content .\SQL.csv -Raw)
}

Command visibility

Proxies

# Build a proxy for Stop-Process that keeps only -Name, restricts it to two values,
# then hide the real cmdlet so the proxy is the only way to reach it
$cmd = Get-Command Stop-Process
$MetaData = New-Object System.Management.Automation.CommandMetaData $cmd
$MetaData.Parameters.Remove("ID")
$MetaData.Parameters.Name.Attributes.Add((New-Object System.Management.Automation.ValidateSetAttribute -ArgumentList "notepad","calc"))
$MetaData.DefaultParameterSetName = "Name"
${Function:Stop-Process} = [System.Management.Automation.ProxyCommand]::Create($MetaData)
$cmd.Visibility = "private"
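The same proxy technique generalized to one function that turns a CommandSpecs row (command, single parameter, ValidateSet, ValidatePattern) into a restricted proxy. This is an added example, not code from the talk or from the JEA toolkit; the function name Publish-JeaProxy and its parameters are the author's own, and it assumes the wrapped commands are cmdlets.

```powershell
# Added example: turn one CommandSpecs row such as "Restart-Service,Name,,^SQL"
# into a proxy that exposes only that parameter, enforces the constraint, and
# hides the real cmdlet. Publish-JeaProxy is a hypothetical helper name.
function Publish-JeaProxy {
    param(
        [Parameter(Mandatory)][string]$Name,   # cmdlet to wrap
        [string]$Parameter,                    # the one parameter to keep (empty = none)
        [string[]]$ValidateSet,                # allowed literal values, e.g. calc,notepad
        [string]$ValidatePattern               # allowed regex, e.g. ^SQL
    )
    $cmd  = Get-Command -Name $Name -CommandType Cmdlet
    $meta = New-Object System.Management.Automation.CommandMetadata $cmd

    # Remove every parameter except the one the spec allows (copy the keys first,
    # since the dictionary is modified while iterating). Common parameters are
    # not in this table; the generated [CmdletBinding()] supplies them.
    foreach ($p in @($meta.Parameters.Keys)) {
        if ($p -ne $Parameter) { [void]$meta.Parameters.Remove($p) }
    }
    if ($Parameter) {
        $param = $meta.Parameters[$Parameter]
        if ($ValidateSet) {
            $param.Attributes.Add((New-Object System.Management.Automation.ValidateSetAttribute -ArgumentList $ValidateSet))
        }
        if ($ValidatePattern) {
            $param.Attributes.Add((New-Object System.Management.Automation.ValidatePatternAttribute -ArgumentList $ValidatePattern))
        }
        # Point the default parameter set at a set the surviving parameter belongs to
        $meta.DefaultParameterSetName = ($param.ParameterSets.Keys | Select-Object -First 1)
    }

    # Emit the proxy as a global function so it shadows the cmdlet for callers.
    # The generated body invokes the module-qualified cmdlet, which stays callable
    # from inside the session even after its visibility is set to private.
    $body = [System.Management.Automation.ProxyCommand]::Create($meta)
    Set-Item -Path "Function:\Global:$Name" -Value ([scriptblock]::Create($body))
    $cmd.Visibility = 'Private'
}

# The two constrained rows from the SQLMaintenance toolkit above
Publish-JeaProxy -Name Restart-Service -Parameter Name -ValidatePattern '^SQL'
Publish-JeaProxy -Name Stop-Process    -Parameter Name -ValidateSet calc,notepad
```

After this runs, a call such as Restart-Service -Name Spooler is rejected by the ValidatePattern attribute during parameter binding, before the wrapped cmdlet executes, and -DisplayName or -InputObject no longer exist on the visible command.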

PowerShell Remoting connects to Configurations. A configuration has:
  • Name
  • ACL
  • StartupScript
  • RunAsCredentials

Get-Command *PSSessionConfiguration

$cred = Get-Credential   # Provide an account with local admin privileges
Register-PSSessionConfiguration `
    -Name Maintenance `
    -ShowSecurityDescriptorUI `
    -StartupScript C:\Jea\Initialize-Maintenance.ps1 `
    -RunAsCredential $cred

Enter-PSSession -ComputerName Server1 `
    -ConfigurationName Maintenance

$ExecutionContext.SessionState.LanguageMode = "NoLanguage"   # or ConstrainedLanguage, FullLanguage

$ss = $ExecutionContext.SessionState
$ss.Scripts.Clear()                                          # no external scripts
$ss.Applications.Clear()                                     # no external executables ...
$ss.Applications.Add("C:\Windows\System32\calc.exe")         # ... except the ones listed
(Get-Command Restart-Computer).Visibility = "private"

Always hide Invoke-Expression and New-Object.

Get-Module $Module | ForEach-Object { $_.LogPipelineExecutionDetails = $true }

# Startup script: record who connected, and refuse weekend sessions
$user = $PSSenderInfo.ConnectedUser
Send-MailMessage -Body "$user on machine $(hostname)"   # also needs -To, -From, -Subject and -SmtpServer for your environment
$today = [DateTime]::Now.DayOfWeek
if ($today -in "Saturday","Sunday") { throw "GO HOME" }

# Pull this session's own commands back out of the PowerShell operational log
$myid = $ExecutionContext.Host.Runspace.InstanceId
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational |
    Where-Object { $_.Properties.Value -match "Runspace ID = $myid" } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Command = $_.Properties[2].Value
            Time    = $_.TimeCreated
        }
    }

BlackHat 2010 Q: What do we do about all these attacks?

A: “Man up and defend yourselves!”

Jea – Just Enough Admin PowerShell role-based administration to secure a post-Snowden world

For More Information

Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server cloud/products/windows-azure-pack
Microsoft Azure: http://azure.microsoft.com/en-us/

Come visit us in the Microsoft Solutions Experience!

Look for Datacenter and Infrastructure Management TechExpo Level 1 Hall CD

http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn